9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-28279

GHSA ID

GHSA-vq33-26pr-r4h6

EPSS Score

0.85855%

CWE

CWE-1321

Published

5/24/2022

Updated

4/10/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-28279

CVE-2020-28279: flattenizer vulnerable to prototype pollution

Overview

Prototype pollution vulnerability in ‘flattenizer’ versions 0.0.5 through 1.0.5 allows an attacker to cause a denial of service and may lead to remote code execution.

Details

The NPM module 'flattenizer' can be abused by Prototype Pollution vulnerability since the function 'unflatten()' did not check for the type of object before assigning value to the property. Due to this flaw an attacker could create a non-existent property or able to manipulate the property which leads to Denial of Service or potentially Remote code execution.

PoC Details

There is no validation before assigning the property to check whether the assigned argument is the Object's own property or not, the property polluted will be directly be assigned thereby polluting the Object prototype. Later in the code, if there is a check to validate polluted the valued would be substituted as "true" as it had been polluted.

var flattenizer = require("flattenizer")
flattenizer.unflatten({'__proto__.polluted': true});
console.log(polluted);

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-28279

GHSA ID

GHSA-vq33-26pr-r4h6

EPSS Score

0.85855%

CWE

CWE-1321

Published

5/24/2022

Updated

4/10/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
flattenizer	npm	>= 0.0.5, <= 1.0.5	1.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability documentation explicitly names 'unflatten()' as the vulnerable function.
The PoC demonstrates exploitation through unflatten()
The GitHub fix shows prototype pollution prevention was added to the property explosion logic called by unflatten
The CWE-1321 mapping confirms this is a prototype pollution vulnerability in object property handling
The commit diff modifies the unflatten-related logic to skip proto properties

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Ov*rvi*w Prototyp* pollution vuln*r**ility in ‘*l*tt*niz*r’ v*rsions *.*.* t*rou** *.*.* *llows *n *tt**k*r to **us* * **ni*l o* s*rvi** *n* m*y l*** to r*mot* *o** *x**ution. ### **t*ils T** NPM mo*ul* '*l*tt*niz*r' **n ** **us** *y Prototyp* P

Reasoning

*. T** vuln*r**ility *o*um*nt*tion *xpli*itly n*m*s 'un*l*tt*n()' *s t** vuln*r**l* *un*tion. *. T** Po* **monstr*t*s *xploit*tion t*rou** un*l*tt*n() *. T** *it*u* *ix s*ows prototyp* pollution pr*v*ntion w*s ***** to t** prop*rty *xplosion lo*i* **

9.8

Basic Information

Concerned about an active attack path?

CVE-2020-28279: flattenizer vulnerable to prototype pollution

Overview

Details

PoC Details

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI